A POST request is submitted by calling submit() on a form, and the same parameters are added to both the URL and the request body. What happens?

Analysis of POST request parameters being truncated on the back end

Overview

The POST request is submitted by calling submit() on a form, and the same parameters are placed both in the URL query string and in the request body. What does the back end see?

Cause

A parameter was truncated in production, and the problem could not be located.

Reproduction

  • 1. Test demo
<%@ page language="java" contentType="text/html; charset=UTF-8"
	pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
	<div>
		<button onclick="doPrint()">发送</button>
	</div>
</body>
<script>
	function doPrint() {
		// 500 copies of the same ID plus one different ID, to build a large parameter
		var consArray = new Array();
		for (var i = 0; i < 500; i++) {
			consArray.push("5025303");
		}
		consArray.push("5053041");
		var args = new Object();
		args.consNo = consArray;
		printNoSelect(args);
	}

	function printNoSelect(args, preview) {
		var params = "";
		if (args) {
			for (var prop in args) {
				// the array is coerced to a comma-joined string here
				params = params + "&" + prop + "=" + args[prop];
			}
		}
		// the same parameters go into the URL query string ...
		var url = "http://localhost:8088/learn-web/helloWorld/postRequest.do?U="
				+ (new Date()).getTime() + params;
		PostWindow(url, args, '打印预览');
	}

	/**
	 * Open a new page via POST
	 * @param url
	 * @param data
	 * @param name
	 */
	function PostWindow(url, data, name) {
		var tempForm = document.createElement("form");
		tempForm.id = "tempForm1";
		tempForm.method = "post";
		tempForm.action = url;
		tempForm.target = name;
		// ... and again into the POST body as hidden inputs
		for (var prop in data) {
			var hideInput = document.createElement("input");
			hideInput.type = "hidden";
			hideInput.name = prop;
			hideInput.value = data[prop];
			tempForm.appendChild(hideInput);
		}
		document.body.appendChild(tempForm);
		tempForm.submit();
		document.body.removeChild(tempForm);
	}
</script>
</html>
// Spring MVC controller methods used by the demo (fragment of a controller class)
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@RequestMapping("/testPost")
public String testPost(Model m, HttpServletRequest req) {
	m.addAttribute("consNo", "");
	return "testPost"; // renders the JSP above
}

@RequestMapping("/postRequest")
@ResponseBody
public String postRequest(HttpServletRequest req, HttpServletResponse res) {
	Map<String, String> rptParas = new HashMap<String, String>();
	// getParameterMap() aggregates query-string and body values under the same name
	Map<String, String[]> parasMap = req.getParameterMap();
	for (Map.Entry<String, String[]> entry : parasMap.entrySet()) {
		// only the first of the aggregated values is kept
		rptParas.put(entry.getKey(), entry.getValue()[0]);
	}
	System.out.print(rptParas.get("consNo").split(",").length);
	return "1";
}


  • 2. Packet capture analysis


  • 3. Source code analysis

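As an added illustration (not code from the original post), this Python script models the Servlet-spec rule the handler above relies on: parameters from the query string and the POST body are aggregated under one name, with the query-string values listed first, so values[0] is always the URL copy. The constructed request and the query_limit argument are assumptions that stand in for whatever cut the query string short in production.

```python
from urllib.parse import parse_qs

# Constructed request mirroring the demo: 500 copies of 5025303 plus 5053041,
# comma-joined by the browser, sent both in the query string and in the form body.
CONS_NO = ",".join(["5025303"] * 500 + ["5053041"])
QUERY_STRING = "U=1592000000000&consNo=" + CONS_NO  # U=timestamp, as in the demo
FORM_BODY = "consNo=" + CONS_NO


def servlet_parameter_map(query_string, body, query_limit=None):
    """Model of the Servlet-spec aggregation rule: values from the query string
    are listed before values from the POST body under the same name.
    query_limit is an assumption that models a component upstream of the
    handler cutting the query string short."""
    if query_limit is not None:
        query_string = query_string[:query_limit]
    merged = {}
    for source in (query_string, body):
        for name, values in parse_qs(source).items():
            merged.setdefault(name, []).extend(values)
    return merged


def count_first_value(param_map):
    """What the page's handler does: take values[0] and split on ','."""
    return len(param_map["consNo"][0].split(","))


def consistent_value(param_map, name):
    """Defensive reading: accept the parameter only if every copy agrees."""
    copies = set(param_map.get(name, []))
    if len(copies) != 1:
        raise ValueError(f"{name}: {len(copies)} distinct copies received")
    return copies.pop()


if __name__ == "__main__":
    intact = servlet_parameter_map(QUERY_STRING, FORM_BODY)
    print(len(intact["consNo"]), "copies,", count_first_value(intact), "IDs")  # 2 copies, 501 IDs
    cut = servlet_parameter_map(QUERY_STRING, FORM_BODY, query_limit=1000)
    print(count_first_value(cut), "IDs seen by values[0]")  # 123 IDs seen by values[0]
    print(len(cut["consNo"][1].split(",")), "IDs in the body copy")  # 501 IDs in the body copy
```

Reading one copy of a duplicated parameter while another copy differs is the pattern that makes duplicate-parameter handling a classic source of validation mismatches; consistent_value rejects the request instead of guessing.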

Summary

Business side

  • 1. When submitting a batch operation, if the user selected all records, there is no need to send every individual ID.

  • 2. If only a few records in the batch are unchecked, try sending the unchecked IDs instead and filter them out on the back end.

  • 3. There are many ways to reduce the volume of parameter data, and doing so greatly improves communication efficiency.

Testing side

  • 1. When testing, clear the cache and test again.

  • 2. If you suspect that a certain factor is the cause, change that factor and test several times; a single retest is definitely not reliable.

  • 3. When several people test together, their environments must be kept in sync, otherwise the feedback will be inaccurate.


Source: blog.csdn.net/qq125281823/article/details/106781689